EP 0 725 512 A2

(54) Data communication system using public keys

(57) A data communications system is described in which messages are processed using public key cryptography with a private key unique to one or more users (150) under the control of a portable security device (120), such as a smart card, held by each user, the system comprising: a server (130) for performing public key processing using the private key. The server (130) stores, or has access to, the private key for the, or each, user in encrypted form only. The private key is encrypted with a key encrypting key and each security device (120) comprises means for storing or generating the key encrypting key and providing the key encrypting key to the server (130). The server comprises secure means (360) to retrieve the encrypted private key for the user, decrypt the private key using the key encrypting key, perform the public key processing using the decrypted private key, and delete the decrypted private key after use.
Description

The invention relates to data communications systems and, more particularly, to the secure processing of messages therein using public key cryptography. The invention finds particular, though not exclusive, application to the generation of digital signatures.

Public key cryptographic algorithms are widely used to certify the origin of or ensure the security or integrity of messages in data communications systems. Various types of such algorithms exist, of which one well known variant is the RSA algorithm. A general introduction to public key cryptography and the RSA algorithm can be found in: Meyer and Matyas, 'Cryptography - A New Dimension in Computer Data Security', pages 32-48, Wiley 1982. These algorithms have some distinct advantages over the more traditional symmetric key algorithms. In particular, they provide the ability for a key to be published or certified so that any independent third party can receive and verify a message without reference to a central authority.

One example of the use of public key cryptography in data communications is in the generation of digital signatures. The principle behind these techniques is the creation of a public digital value - the signature - which depends on a message to be transmitted and the signing user, so the receiving user can be sure that the sending user, and no other user, could create the signature value, and that the user created the signature value for this message and no other.

In such systems, the party signing a message has a private key for which there exists a corresponding public key. The public key is available so that anyone can use it to decrypt data which the signer encrypts using the private key, but no-one can create such encrypted data without access to the private key.

Typically, the signer produces a hash value from the message using a strong hash algorithm, such that the chance of another message resulting in the same value is extremely low. The means of calculating this value is public knowledge but there is no feasible way to determine a different message which results in the same value. The signer encrypts the value using the private key, and sends the message and the encrypted value to the recipient.

The recipient can use the public key to decrypt the value, and can test whether the calculation on the message produces the same value. If it does, this satisfies the recipient that the message was the one signed, because there is no feasible way to calculate another message which produces the same value. The recipient can also be sure that the signer did indeed sign the message, because no-one can create the encrypted value without access to the private key.

However, such public key encryption schemes are computationally intensive and demand substantially higher computing resources, such as processing power and memory requirements, for encryption and decryption than symmetric key schemes.

In many applications of public key cryptography to data communications, the message must be processed under the control of a portable security device, such as a smart card, PCMCIA card or laptop computer, carried and presented by a user. Whilst methods have been proposed to enable messages to be signed with much less computational effort than they can be verified, such as in the US Department of Commerce/National Institute of Standards and Technology (NIST) Digital Signature Standard published in Federal Information Processing Standard (FIPS) 186, May 19 1994, the situation remains that, using current technology, in many cases it is not practical or cost-effective to provide such portable security devices with the necessary processing power or memory to perform sufficiently strong public key processing in an acceptable time.

Various methods have been proposed in the prior art to enable such a security device to perform the public key processing with the aid of a powerful server computer, without requiring the security device to reveal the secret key to the server. Examples of these techniques can be found, for example, in: Laih et al, 'Two efficient server-aided secret computation protocols based on the addition sequence', Advances in Cryptology - Asiacrypt '91 Proceedings, 1993, pp 450-459.

Whilst these methods go some way to alleviating the problem, they suffer from several disadvantages inherent in storing the secret key on a portable and low cost device.

First, it is possible the device may be probed to obtain the secret key.

Secondly, if the signer's private key is compromised, a different user might use it to process messages. In this circumstance, a means is required to revoke the secret key so the unauthorised user can no longer use it. Since the security devices are not connected to the system at all times and could be reconnected to the system at any point, withdrawing or preventing use of the secret keys is, in practice, very difficult. Typically this has been achieved using various types of user blacklists. However, there are many practical difficulties associated with controlling, updating and verifying the authenticity of such lists, particularly over widespread networks.

Furthermore, since some smart card implementations which make use of public key algorithms for signing purposes cannot generate the user's public and private key pair within the smart card, there are potential security exposures when the key is initially loaded into the security device. This is because the key generation algorithm is quite complex, more so than the encryption and decryption functions. Therefore, if it is required to store the secret key on the card, then it may also be required to generate the secret key off the card and to enter it onto the card during an initialisation process. This initialisation process inevitably exposes the key to some degree.
This invention is directed to the problem of providing a secure method of enabling messages to be processed using public key processing on behalf of the authorised holder of a portable security device, such as a smart card, in such a manner that it can be shown that only the authorised holder of the security device could have authorised the processing of a particular message, without requiring the public key algorithm to be performed by the security device, without having to store the private key in the security device, and without requiring the key generation process to be performed by the security device.

To solve this problem, the invention provides a communications system in which messages are processed using public key cryptography with a private key unique to one or more users under the control of a portable security device held by the, or each, user, the system comprising: a server for performing public key processing using the private key, the server being adapted for data communication with the portable security device; characterised in that the server comprises, or has access to, data storage means in which is stored in a secure manner the private key for the, or each, user in encrypted form only, the private key being encrypted with a key encrypting key, the server comprising secure processing means to receive a message to be processed from the user, retrieve the encrypted private key for the user, decrypt the private key using the key encrypting key, perform the public key processing for the message using the decrypted private key, and delete the key encrypting key and decrypted private key after use, and in that each security device comprises means for storing or generating the key encrypting key and providing the key encrypting key to the server and means for specifying a message to be processed, the system being arranged so that communication of at least the key encrypting key to the server is secure and so that the server can only use the key encrypting key to process the message specified by the user.

A secure server is therefore provided to perform the public key algorithm. However, the server has access only to an encrypted form of the private key. A portable security device controls the public key processing by providing the server with a key to enable the server to decrypt the private key, use it, and delete the private key after use.

The secure communication of the key encrypting key to the server can be accomplished in a number of ways. In preferred embodiments, the key encrypting key is encrypted, for transmission between the security device and the server, using a key derived from a second key encrypting key stored in the security device, and the server has access to the second key encrypting key. In this way, communication of the key encrypting key to the server is secured by cryptographic means. In other embodiments, appropriate physical security of the communication channel between the security device and the server could be used.
Similarly, there are a number of ways of ensuring that the server can only use the key encrypting key to process the message provided by the user. In preferred embodiments, the key encrypting key is cryptographically associated with a message to be processed and the secure processing means comprises means to verify the association of the key encrypting key with the message and is arranged only to make use of the key encrypting key to process that message. Again, in other embodiments, appropriate physical security might be provided to ensure this.

In one embodiment, the security device can encrypt the key encrypting key for transmission to the server using a key derived from the message to be signed, thereby cryptographically associating the key encrypting key with the message. The server comprises secure means for extracting the key from the message and decrypting the key encrypting key. In this way, data transmitted by the security device can be used to decrypt the secret key for the original message only. It is not possible to intercept the transmission to the server and substitute the message for one not authorised by the user.

It will be appreciated that there are many other ways of cryptographically binding the key encrypting key and the message. For example, a message authentication code which could be verified by the server might be derived from a combination of the message and the key.

In one embodiment of the invention, the key encrypting key is stored in the security device as a reversible function of a password or PIN, the security device comprising means to receive the password from the user and being able to recover the key encrypting key using the reversible function. This arrangement ensures that the data stored in a lost or stolen security device is not sufficient to enable a message to be generated which will permit the server to obtain access to the secret key.

For convenience, the key encrypting key can be a one-way function of the private key. In this case, the server can check the recovered value of the private key by deriving therefrom the key encrypting key and comparing the derived value with the value received from the security device.

In further embodiments of the invention, the key encrypting key can be a reversible function of a key stored in the security device and a random number, the server comprising means to provide the random number to the security device on request.

Preferably, in such embodiments, the server is arranged to reencrypt the private key each time it is used using a new random number, and to provide the new random number to the security device the next time it is required to perform public key processing for a user.

The use of a random number ensures that the process makes use of a new key value for each transaction even if the messages are identical, thereby improving security still further.

The invention also provides a portable security device, which can be a smart card, and a server for use in such a system.

Viewed from another aspect, the invention also provides a method for processing messages using public key cryptography with a private key unique to one or more users under the control of a portable security device held by the, or each, user, in a system comprising: a server for performing public key processing using the private key, in which system the server is adapted for data communication with the portable security device; characterised by the steps of

(a) storing in the server, or providing the server with access to, the private key for the, or each, user in encrypted form only, the private key being encrypted with a key encrypting key;

(b) storing or generating in the security device the key encrypting key and providing the key encrypting key to the server in a manner such that at least the key encrypting key is secure in communication to the server; and,

in a secure environment in the server:

(c) receiving a message to be processed specified by the user;

(d) retrieving the encrypted private key for the user;

(e) verifying that the message was that specified by the user;

(f) decrypting the private key using the key encrypting key;

(g) performing the public key processing for the message using the decrypted private key; and

(h) deleting the decrypted private key and the key encrypting key after use.

Embodiments of the invention will now be described, by way of example only, with reference to the accompanying drawings, wherein:

Fig 1 shows a communications system;

Fig 2 illustrates the generation of a digital signature;

Fig 3 is a schematic diagram showing a simple first embodiment of the invention;

Figs 4a and 4b illustrate processes carried out in the smart card and server in the first embodiment;

Fig 5 illustrates enhancements to the system of Fig 3;

Figs 6a and 6b illustrate processes carried out in the smart card and server in the enhanced first embodiment;

Fig 7 is a schematic diagram illustrating a second embodiment of the invention;

Fig 8 illustrates the process carried out in the smart card in the second embodiment of the invention;

Fig 9 illustrates the process carried out in the server in the second embodiment;

Fig 10 is a schematic diagram showing the initialisation procedures for the second embodiment;

Fig 11 is a flow diagram illustrating the initialisation procedures for the second embodiment.

Referring to Figure 1, there is shown a communications system which comprises communications network 100 which may be any conventional type of local area network (LAN) or wide area network (WAN) or any combination of the two. Connected to the communications network 100 is workstation 110 incorporating a smart card reader for operating in conjunction with smart card 120. Also connected to network 100 are server computer 130 and an intended recipient of a message, shown for the sake of example as mainframe computer 140. Workstation 110 could, for instance, be a point of sale terminal at a retail outlet. Smart card 120 is in the possession of user 150. The system is arranged so that user 150 can certify a message, such as a debit instruction for the user's account, generated in workstation 110 using a digital signature. The generation of the digital signature in the system is performed by server 130 under the control of smart card 120.

In the following, the notation E_KEY(A) will be used to indicate the quantity A encrypted using a key KEY. This notation will be used for both public key and symmetric cryptographic algorithms. The symbol + represents an invertible combination such as an XOR operation or addition or multiplication mod p, where p is a non-secret prime number.

It will be understood from what follows that, whilst in these embodiments server 130 is assumed, for clarity, to be a separate computer from workstation 110, the function of server 130 could equally be performed by a process running in workstation 110 or in mainframe computer 140. Furthermore, whilst the embodiments are, for clarity, described in terms of a single server 130, it is envisaged that other embodiments may include a plurality of such servers.

Figure 2 illustrates a simple example of the principles behind the creation and use of digital signatures using public key cryptography. It will be understood that this type of digital signature is only one among many techniques for the generation of digital signatures using public key cryptography, any of which may equally be employed in other embodiments of the invention.

Fig 2 shows two users who wish to communicate with each other and to be sure of the identity of the other. Each user has a public and private key pair PK and SK. Each user shares their public key with each other user. Normally, each user would keep secret their respective private key, but the public keys would be available for whoever wished to communicate with them.

Suppose user A wishes to send a message MSG to user B over a data communications network. A digital signature is generated from the message by first generating a hash value of the message using a strong hashing function, of which there are many known types. An example of a strong hash algorithm suitable for use in calculating digital signatures is described in US-A-4,908,861. The particular hashing function involved is assumed to be known to B. This hash value is then encrypted using the secret key of A to generate a digital signature E_SKa(Hash(MSG)). The message is then transmitted to user B along with the digital signature. User B can verify the authenticity of the message by decrypting the digital signature using the public key PKa and comparing the value obtained with a hash value obtained from the message.

In practice, the integrity of the public key PKa would be certified by a third party whose role would be to certify keys. This would serve to satisfy B that PKa was indeed the public key associated with A and not with anybody else. Such certification and distribution of public keys is well known in the art and will not be further described herein. A discussion of these certificates can be found in CCITT Recommendation X.509 Directory Services (1988).

Figure 3 is a schematic diagram showing the operation of a simple first embodiment of the invention. Such an embodiment would be useful if the communications between the smart card and the server are separately secured by, for example, either physical or cryptographic means, so that the keys and messages exchanged are protected. A variety of means are known to the art, such as the use of secure cabling, or the use of data encryption and authentication. In such a high security environment, the smart card would act as an additional control over the use of the server.

Server 130 includes a secure cryptographic environment 360, such as that provided by the IBM 4755 cryptographic adapter, and a disk storage device 350. The IBM 4755 cryptographic adapter stores cryptographic values securely on the storage device 350 under the protection of an encryption key, the local Master Key held within the secure cryptographic environment 360. The IBM 4755 cryptographic adapter provides an encapsulated and tamper-resistant hardware environment for performing such cryptographic tasks under the control of microcode resident therein. It is described in more detail in IBM Systems Journal Vol 30, No 2, 1991, pp 206-229.

The secret keys SK associated with a number of users A, B, C, D ... are stored securely in storage device 350 in encrypted form. They are encrypted using a conventional symmetric cryptographic algorithm, such as the well known DES algorithm, using a user-specific key KEY. The user-specific key for user A, denoted KEYa, is stored in storage 370 in smart card 120 along with information identifying the user - designated A in Fig 3 - which will enable the corresponding encrypted secret key to be retrieved from storage device 350.

The process carried out by smart card 120 is illustrated in Fig 4a. When user A wishes to send a message MSG and an associated digital signature, smart card 120 generates a hash value H of message MSG in step 480 and encrypts in step 481 user-specific key KEYa using a conventional symmetric algorithm, such as DES, with the hash value H as the key. This encrypted value of the key is sent along with the message and the information identifying the user across the network to server 130 in step 482.

The process carried out by server 130 is illustrated in Fig 4b. Server 130 regenerates the hash value H from the message in step 491 and decrypts the user-specific key KEYa in step 492. This KEYa is used in the secure environment to decrypt and temporarily store the decrypted value of the secret key of the user SKa in step 493. This decrypted secret key is then used, within the secure environment 360, to generate the digital signature for the message in step 494, which is then either sent out directly by server 130 to the intended recipient of the message, or returned to smart card 120 for subsequent transmission. Finally, KEYa, the message, the hash value and SKa are erased within secure environment 360 in step 495.

Since the server is provided with secure cryptographic environment 360 and can therefore be controlled, assurance can be provided that the secret key SKa was used to sign only the original message, and that the message, its hash value H, SKa and KEYa have indeed been erased. The property of non-repudiation has therefore been preserved. Furthermore, server 130 can be maintained on-line in a systems management environment. If it is desired to rescind the ability of user 150 to generate digital signatures, this can be easily achieved by deleting the encrypted value of SKa from storage 350. No access is required to the contents of smart card 120, which might not be physically available at the time it is desired to rescind this authority.

Fig 5 is a schematic diagram illustrating an enhanced version of the first embodiment of the invention. The mode of operation illustrated in Fig 3 is modified in a number of ways.

First, user 150 has a Personal Identification Number (PIN) which is used to ensure that only user 150 can make use of smart card 120. This is achieved in this embodiment by arranging the system so that the key with which the user's secret key is encrypted when stored in server 130 is a combination, in this embodiment an XOR function denoted by +, of data stored on the card, represented as PKREVa in Fig 5, and the PIN, PINa in Fig 5. The authenticity of the PIN can be checked by the smart card by storing therein a value which is a one way function - in this case a strong hash - of the PIN. In this way, the PIN can be checked by regenerating the hash of the PIN supplied by the user and checking this against the value stored in the card. This is illustrated by process 410 of Fig 5.

PKREVa is a reversible function of the PIN and a one-way function - in this case a strong hash - of the user's secret key SKa. This one way function of the user's secret key is denoted KOWFa in Fig 5. The reversible function can, for example, be a combination such as an XOR operation, or addition or multiplication mod p, where p is a non-secret prime number. In this way, the one-way function of the secret key KOWFa can be recovered using PINa. Note that using this approach the user may change his PIN without reference to the server. This can be done by the smart card using PKREVa with the old and new PINa to recalculate a new value of PKREVa using the following relation:

PKREVa(old) + PINa(old) + PINa(new) = PKREVa(new)

The process carried out in smart card 120 is illustrated in Fig 6a. When user A wishes to sign a message MSG, the PIN and the message are provided to the smart card, which generates a hash value H of the message in step 690 and combines this with the data stored on the card KCARa in step 691 to form a transient, but complete, key encrypting key which is valid for one message only. The smart card also recovers KOWFa from PINa and PKREVa in step 692 and enciphers KOWFa in step 693 using the transient key encrypting key derived from the message and KCARa. Note that the smart card stores neither the PIN nor the key used to encrypt the secret key. Therefore, disclosure of the data stored on a lost or stolen smart card does not enable use of the secret key.

Smart card 120 creates a request 440 containing information identifying the user A, the enciphered value of KOWFa and the message. Request 440 is transmitted to server 130 over the network in step 694.

The process carried out in server 130 is illustrated in Fig 6b. Server 130 receives the request either immediately or at some future time, generates a hash value H of the message in step 695, and regenerates the transient key in step 696 from the message hash value H and KCARa, which has been retrieved in encrypted form from storage 350 and decrypted into clear form. The transient key is used to recover KOWFa in step 697 and, in turn, KOWFa is used to recover the user's secret key SKa in step 698.

The values KCARa, KCARb, etc are stored in storage device 350 with confidentiality since otherwise they might be used to decrypt SKa by an adversary having intercepted transmission 440.

In addition, the validity of the recovered value of SKa is checked by using the one way function to generate KOWFa from the recovered secret key and comparing this value with the value of KOWFa recovered from request 440.

The recovered value of SKa is used within the secure cryptographic environment to generate the digital signature in step 699 in the manner described above. As before, the recovered values of SKa and other keys are erased from the secure cryptographic environment 360 after use in step 700.

Again, since server 130 includes the secure cryptographic environment 360 and is controlled, assurance can be provided that only the original message was signed and that the secret key has indeed been erased from within the secure cryptographic environment 360. If it is desired to rescind the ability of user 150 to generate digital signatures, this can be achieved by deleting either the encrypted value of SKa or KCARa from storage 350.
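The two flows just described (the simple first embodiment of Figs 4a and 4b, and its enhancement in Figs 5, 6a and 6b) are worked through below as an added Python example. It is not code from the patent: the strong hash, the symmetric cipher (an HMAC keystream standing in for DES), the toy RSA pair for user A, the two domain-separated PIN derivations (pin_mask for forming PKREVa and pin_check for the stored POWFa-style value), the helper names (initialise, change_pin, card_request, server_sign, try_sign) and every key and message value are constructed for the illustration. It shows the card producing request 440, the server in environment 360 recovering KOWFa and SKa, the KOWFa validity check refusing a request whose message has been substituted in transit, the PIN change relation, and revocation by deleting the server's copy of E_KOWFa(SKa).

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the patent's strong hash, DES and RSA (not the page's code).

def owf(data: bytes) -> bytes:
    """Strong one-way function: H = Hash(MSG), KOWFa = OWF(SKa), and the PIN check value."""
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """The patent's invertible '+' combination, here XOR of two 32-byte values."""
    assert len(a) == len(b) == 32
    return bytes(x ^ y for x, y in zip(a, b))

def sym(key: bytes, data: bytes) -> bytes:
    """Symmetric cipher stand-in: XOR with an HMAC keystream; encrypt and decrypt coincide."""
    stream = b"".join(hmac.new(key, bytes([i]), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

# Toy RSA pair for user A from two small primes (constructed; real keys are far larger).
P_A, Q_A, E_A = 104729, 1299709, 65537
N_A = P_A * Q_A
SKA = pow(E_A, -1, (P_A - 1) * (Q_A - 1)).to_bytes(5, "big")   # SKa, the private exponent

def sign(ska: bytes, msg: bytes) -> int:
    """E_SKa(Hash(MSG)) as in Fig 2, with the hash reduced modulo n."""
    return pow(int.from_bytes(owf(msg), "big") % N_A, int.from_bytes(ska, "big"), N_A)

def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E_A, N_A) == int.from_bytes(owf(msg), "big") % N_A

def pin_mask(pin: bytes) -> bytes:
    """Value combined with KOWFa to form PKREVa. It must differ from the stored check
    value: with one hash for both, the card contents alone would unmask KOWFa."""
    return owf(b"mask:" + pin)

def pin_check(pin: bytes) -> bytes:
    """One-way function of the PIN held on the card and compared by process 410."""
    return owf(b"check:" + pin)

# --- initialisation with constructed values (Fig 5 layout) ---
def initialise(pin: bytes):
    kowfa = owf(SKA)                                   # KOWFa: one-way function of SKa, the key encrypting key
    kcara = secrets.token_bytes(32)                    # KCARa: on the card and, confidentially, in storage 350
    card = {"id": b"A", "KCARa": kcara,
            "PKREVa": xor(kowfa, pin_mask(pin)),       # reversible function of PINa and KOWFa
            "POWFa": pin_check(pin)}
    store = {b"A": {"KCARa": kcara, "ESKa": sym(kowfa, SKA)}}   # SKa kept in encrypted form only
    return card, store

def change_pin(card: dict, old: bytes, new: bytes) -> None:
    """PKREVa(new) = PKREVa(old) + PINa(old) + PINa(new), with no reference to the server."""
    if pin_check(old) != card["POWFa"]:
        raise ValueError("PIN rejected")
    card["PKREVa"] = xor(xor(card["PKREVa"], pin_mask(old)), pin_mask(new))
    card["POWFa"] = pin_check(new)

# --- smart card 120, Fig 6a ---
def card_request(card: dict, pin: bytes, msg: bytes) -> dict:
    if pin_check(pin) != card["POWFa"]:                # process 410
        raise ValueError("PIN rejected")
    h = owf(msg)                                       # step 690
    transient = xor(h, card["KCARa"])                  # step 691: key encrypting key valid for this message only
    kowfa = xor(card["PKREVa"], pin_mask(pin))         # step 692
    return {"id": card["id"], "EKOWFa": sym(transient, kowfa), "MSG": msg}   # steps 693-694: request 440

# --- server 130, secure environment 360, Fig 6b ---
def server_sign(store: dict, req: dict) -> int:
    rec = store[req["id"]]                             # KeyError if the user has been revoked
    h = owf(req["MSG"])                                # step 695
    transient = xor(h, rec["KCARa"])                   # step 696
    kowfa = sym(transient, req["EKOWFa"])              # step 697
    ska = sym(kowfa, rec["ESKa"])                      # step 698
    if owf(ska) != kowfa:                              # validity check of the recovered SKa
        raise ValueError("KOWFa mismatch: not the message the user authorised")
    sig = sign(ska, req["MSG"])                        # step 699
    del ska, kowfa, transient, h                       # step 700: erasure (illustrative)
    return sig

def try_sign(store: dict, req: dict):
    """The signature, or None when the secure environment refuses the request."""
    try:
        return server_sign(store, req)
    except (KeyError, ValueError):
        return None

if __name__ == "__main__":
    card, store = initialise(b"1234")
    req = card_request(card, b"1234", b"debit 10.00 from account A")   # constructed message
    print("signature verifies:", verify(b"debit 10.00 from account A", try_sign(store, req)))
    print("substituted message refused:", try_sign(store, dict(req, MSG=b"debit 999.00")) is None)
```

A substituted message changes H, hence the transient key, hence the recovered KOWFa and SKa, and the comparison of OWF(SKa) against the received KOWFa fails before anything is signed; deleting the user's record in store has the same effect without touching the card.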

Fig 7 is a schematic diagram illustrating a second embodiment of the invention. In this embodiment smart card 120 associated with user A stores two key encrypting keys KEK1a and KCARa. Server 130 stores KCARa and one of a series of random numbers RNxa along with the encrypted form of the user's secret key. In this embodiment, the key used to encrypt the user's secret key is a combination of KEK1a with RNxa - denoted KEK1a + RNxa in Fig 7.

The process carried out by smart card 120 in this embodiment of the invention is illustrated in Fig 8. As before, a user 150 prepares a message MSG to be signed using their corresponding secret key SKa. User 150 has a PIN - denoted PINa in Fig 7 - which is entered and provided to smart card 120 via a suitable interface (for example a keyboard, not shown). As before, smart card 120 authenticates user 150 by generating a hash of PINa and comparing this with a stored value POWFa using process 410.

In step 880, smart card 120 sends a message to server 130 indicating that a message is to be signed. Server 130 responds by providing a current one of a series of random numbers RNxa to smart card 120.

Smart card 120 generates a hash value H of the message MSG in step 881 and then calculates the key H + KCARa in step 882. The value KEK1a + RNxa is calculated in smart card 120 in step 883 and encrypted in step 884 using the key H + KCARa.

Smart card 120 then passes a request containing card id ICARa, the encrypted value of KEK1a + RNxa, and the message over the network to server 130 in step 885. Id ICARa enables the server to locate the keys associated with user A. The protocol could also include the passing of RNxa back to server 130, which would allow a consistency check to be performed.

The process carried out in server 130 is illustrated in Fig 9. In step 886, server 130 regenerates the hash value H from the message and computes the key H + KCARa in step 887. Using this key, server 130 recovers KEK1a + RNxa in step 888 by decrypting E_KCARa+H(KEK1a + RNxa) with KCARa + H, and recovers the user's secret key SKa in step 889 by decrypting E_KEK1a+RNxa(SKa) with KEK1a + RNxa. The message is then signed as before in step 890.

Server 130 then calculates KEK1a in step 891 by recombining a securely stored value of RNxa with KEK1a + RNxa. A new random number RN(x+1)a is then generated in step 892 for use in the next invocation of the algorithm. RN(x+1)a is combined with KEK1a in step 893 and used to reencrypt the user's private key in step 894 prior to storage in storage device 350 in step 896. RN(x+1)a is also stored securely in storage device 350, replacing RNxa. The clear value of KEK1a in secure environment 360 is then deleted in step 895, along with the clear value of the user's private key SKa, KEK1a + RNxa and KEK1a + RN(x+1)a.

This arrangement prevents the authorization quantity E_KCARa+H(KEK1a + RNxa), along with the message MSG, being used to generate another digital signature by extracting the variant key KEK1a + RNxa.

Fig 10 is a schematic diagram showing the initialisation procedures used in the embodiment of Fig 7.

The initialisation process carried out is illustrated in Fig 11. Server 130 generates in step 751 the following cryptographic keys for user A.

1. First key encrypting key KEK1a

2. Second key encrypting key KCARa

3. A public and private key pair, PKa and SKa, for use with the public key algorithm.

Having generated the keys, server 130 provides KEK1a and KCARa to smart card 120 in step 752. Server 130 then causes PKa and SKa to be initialised within the cryptographic system by requesting appropriate certificates for PKa and making PKa available throughout the network (not shown).

Server 130 then generates a random number RN1a in step 753 and combines this with KEK1a in step 754 to produce a variant key KEK1a + RN1a. SKa is then encrypted in step 755 using the variant key to form the encrypted quantity E_{KEK1a + RN1a}(SKa).

A PIN for user A, PINa, is generated in step 756 along with a hash value POWFa in step 757. PINa is provided to user A in step 758, e.g. by post, and POWFa is stored on smart card 120 along with user identification data ICARa in step 759.

KCARa, RN1a and E_{KEK1a + RN1a}(SKa) are stored securely in storage 350 in step 760, and the clear values of SKa, KCARa, KEK1a and their derivatives are erased from the secure cryptographic environment 360 in step 761.

In embodiments in which there exist in the system more than one server 130 capable of performing public key processing on behalf of user 150, and when it is desired to distribute SKa to each additional server node, the following process can be performed when the server 360 has SKa in clear form, which is at the time of generation of SKa and whenever the user provides a message to be digitally signed to the server. At this time the server having possession of the clear value of SKa will create an additional RNxa value for the extra server node and prepare an extra enciphered copy of SKa using the same process, 892, 893 and 894, as is used to obtain a local newly enciphered SKa value. Then the server node will send the additional value of RNxa and KCARa, with confidentiality, along with the related enciphered value of SKa to the additional node. All extra values of RNxa and associated enciphered values of SKa are destroyed within the server at the conclusion of this process.

This process will ensure that each additional server node can operate independently with the user while preserving the property of non-repudiation.

It will be understood that secure methods exist for distributing cryptographic keys such as KEK1a, KCARa and SKa between secure cryptographic servers within a network.


Claims 

1. A communications system

in which messages are processed using public key cryptography with a private key (SKa) unique to one or more users (150) under the control of a portable security device (120) held by the, or each, user,

the system comprising:

a server (130) for performing public key processing using the private key;

the server (130) being adapted for data communication with the portable security device (120);

characterised in that

the server (130) comprises, or has access to, data storage means in which is stored in a secure manner the private key for the, or each, user in encrypted form only,

the private key being encrypted with a key encrypting key (KEYa; KOWFa; KEK1a + RNxa),

the server comprising secure processing means (360) to receive a message to be processed from the user, retrieve the encrypted private key for the user, decrypt the private key using the key encrypting key, perform the public key processing for the message using the decrypted private key, and delete the key encrypting key and decrypted private key after use,

and in that each security device (120) comprises means for storing or generating the key encrypting key and providing the key encrypting key to the server (130) and means for specifying a message to be processed,

the system being arranged so that communication of at least the key encrypting key to the server is secure and so that the server can only use the key encrypting key to process the message specified by the user.

2. A system as claimed in claim 1 wherein the key encrypting key is encrypted using a key derived from a second key encrypting key (KCARa) stored in the security device (120), for transmission between the security device and the server, the server (130) comprising, or having access to, data storage means in which the second key encrypting key is stored in a secure manner, whereby communication of the key encrypting key to the server is secure.

3. A system as claimed in claim 1 or claim 2 wherein the key encrypting key is cryptographically associated with a message to be processed, the secure processing means comprising means to verify the association of the key encrypting key with the message and being arranged only to make use of the key encrypting key to process that message.

4. A system as claimed in claim 3 wherein the security device comprises means to encrypt the key encrypting key for transmission to the server using a key derived from the message to be signed, the server comprising secure means (360) for generating the key from the message and decrypting the key encrypting key.

5. A system as claimed in any preceding claim wherein the key encrypting key is stored in the security device as a reversible function of a password (PINa), the system comprising means to receive from the user (150), and provide to the security device, the password, the security device comprising means to recover the key encrypting key using the reversible function.

6. A system as claimed in any preceding claim wherein the key encrypting key (KOWFa) is a one-way function of the private key, the server comprising means to check the recovered value of the private key by deriving therefrom the key encrypting key and comparing the derived value thereof with the value received from the security device.

7. A system as claimed in any preceding claim wherein the key encrypting key is a reversible function of a key stored in the security device (KEK1a) and a random number (RNxa), the server (130) comprising means to provide the random number to the security device (120), wherein the server (130) is arranged to reencrypt the private key each time it is used using a new random number, and to provide the new random number to the security device the next time it is required to perform public key processing for a user.

8. A portable security device for use in a communications system as claimed in any preceding claim, the portable security device (120) being adapted to communicate data to a server and comprising means for storing or generating the key encrypting key and providing the key encrypting key to the server (130).

9. A portable security device as claimed in claim 8 in the form of a smart card.

10. A server for use in a communications system as claimed in any of claims 1 to 7, the server (130) being adapted for data communications with a portable security device and comprising, or having means to access, secure storage means (350) in which the private key for the, or each, user is stored in encrypted form only, the private key being encrypted with a key encrypting key, the server comprising secure means (360) to retrieve the encrypted private key for the user, decrypt the private key using the key encrypting key, perform the public key processing using the decrypted private key, and delete the decrypted private key and the key encrypting key after use.

11. A method for processing messages using public key cryptography with a private key (SKa) unique to one or more users (150) under the control of a portable security device (120) held by the, or each, user, in a system comprising: a server (130) for performing public key processing using the private key, in which system the server (130) is adapted for data communication with the portable security device (120);

characterised by the steps of

(a) storing in the server, or providing the server with access to, the private key for the, or each, user in encrypted form only, the private key being encrypted with a key encrypting key (KEYa; KOWFa; KEK1a + RNxa);

(b) storing or generating in the security device the key encrypting key and providing the key encrypting key to the server (130) in a manner such that at least the key encrypting key is secure in communication to the server;

and, in a secure environment in the server (130):

(c) receiving a message to be processed specified by the user;

(d) retrieving the encrypted private key for the user;

(e) verifying that the message was that specified by the user;

(f) decrypting the private key using the key encrypting key;

(g) performing the public key processing for the message using the decrypted private key; and

(h) deleting the decrypted private key and the key encrypting key after use.
